Thu Dec 30 2010 08:09 Prerequisite:
It's the end of the year, and time for the traditional navel-gazing. I was going to shun the sight of my own navel this year, but as I get older these roundups are very useful, both at the time and in retrospect, so let's go for it. Unlike last year, I'm not going to go crazy putting up all the photo galleries I neglected to put up throughout the year. I do have some cool photo galleries I'd like to show you, but I don't have time.

Because the theme of 2010 is not having time for things. I had a huge project in the form of Constellation Games, and Sumana had a lot of personal work taking care of her mom, and just about everything else fell by the wayside. As such, a big part of the 2010 wrapup will be things that happened in 2010 that I need to carry over.

The conclusion of the second half of the paper--that desktop developers hate browser-based OAuth token authorization models and will do almost any amount of work to hack around one--turned out to be a major driver of my work for Canonical in the second half of 2010. And I really want to write a follow-up essay because I've discovered that to a first approximation, the desktop developers were right. I was making them do a lot of extra work for no security benefit, because I was applying a web-based security model to the desktop. But, it's 2010, year of not having enough time.

I do want to highlight this quote from my paper:

I propose a natural experiment: as I write, a client for the Twitter
web service can authenticate its requests using an OAuth token, or by
providing a Twitter username and password with HTTP Basic Auth.
Twitter developers plan to deprecate Basic Auth starting in June 2010.
I predict that as Basic Auth is deprecated, client-side Twitter
hackers will resist Twitter's OAuth token authorization protocol, just
as client-side Launchpad hackers resisted Launchpad's similar
protocol.

Well, that sure happened. At the time, people referred to the changeover as the "OAuthpocalypse". Or possibly the #oauthpocalypse, I'm not really up on these things. And that's for a web service for which real bad guys would really like to grab your credentials, so in theory OAuth could be a very nice feature. Here's Jon Udell describing how to make Twitter's token authorization protocol feel like Basic Auth.
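The point the quoted prediction and the Udell link turn on is what actually crosses the wire: with Basic Auth the password itself rides on every request, while with OAuth 1.0a (the HMAC-SHA1 token protocol Twitter moved its API to) the client sends a signature computed from secrets that stay on the client, and the service can revoke one client's token without touching the password. The following is an added example written for this post, not code from the post, the paper, Twitter or Launchpad. It uses only the Python standard library; the consumer key/secret, token/secret, hostname and request are constructed sample values, and the tiny in-memory stores stand in for whatever a real service would use.

```python
"""Basic Auth versus an OAuth 1.0a token-signed request, side by side.

Added illustration for this post; not the post's, Twitter's or Launchpad's
code. Standard library only. All keys, secrets and the request are
constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def basic_auth_header(username, password):
    """HTTP Basic Auth: the password itself rides along on every request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def credentials_from_basic_header(header):
    """What anyone who sees a Basic Auth header (proxy, log file, sniffer) recovers."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def _enc(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay bare.
    return quote(s, safe="")


def oauth1_base_string(method, url, params):
    """METHOD & enc(scheme://host/path) & enc(sorted encoded k=v pairs joined by &).

    params is a list of (key, value) pairs: body fields plus oauth_* fields.
    Query-string parameters in url are folded in as the spec requires.
    """
    parts = urlsplit(url)
    pairs = [(_enc(k), _enc(v)) for k, v in params + parse_qsl(parts.query, keep_blank_values=True)]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), _enc(f"{parts.scheme}://{parts.netloc}{parts.path}"), _enc(normalized)])


def oauth1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by enc(consumer_secret)&enc(token_secret)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def oauth1_authorization_header(method, url, body, consumer_key, consumer_secret,
                                token, token_secret, nonce=None, timestamp=None):
    """Client side: sign the request. The secrets feed the HMAC but never leave the client."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_token", token),
        ("oauth_version", "1.0"),
    ]
    sig = oauth1_signature(oauth1_base_string(method, url, body + oauth), consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in oauth + [("oauth_signature", sig)])


def verify_oauth1(method, url, body, header, consumers, tokens, seen_nonces, now=None, max_skew=300):
    """Server side: look up secrets by key/token, recompute, reject stale requests and replays."""
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        fields[k] = unquote(v.strip('"'))
    consumer_secret = consumers.get(fields.get("oauth_consumer_key", ""))
    token_secret = tokens.get(fields.get("oauth_token", ""))
    if consumer_secret is None or token_secret is None:
        return False  # unknown application, or a token the user has revoked
    try:
        ts = int(fields.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs((now if now is not None else int(time.time())) - ts) > max_skew:
        return False  # outside the clock-skew window: limits how long a captured request is useful
    nonce_key = (fields.get("oauth_consumer_key", ""), str(ts), fields.get("oauth_nonce", ""))
    if nonce_key in seen_nonces:
        return False  # replay of a request we already accepted
    signed = [(k, v) for k, v in fields.items() if k != "oauth_signature"]
    expected = oauth1_signature(oauth1_base_string(method, url, body + signed), consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), fields.get("oauth_signature", "").encode()):
        return False  # body, URL or parameters were altered in transit
    seen_nonces.add(nonce_key)
    return True


def demo():
    """Constructed scenario: one desktop client posting a status on behalf of one user."""
    consumers = {"desktop-client-key": "consumer-secret-1"}   # registered applications
    tokens = {"user-token-abc": "token-secret-xyz"}           # tokens the user has authorized
    seen = set()
    url = "https://api.example.invalid/1/statuses/update.json"  # constructed, not a real endpoint
    body = [("status", "hello world")]
    basic = basic_auth_header("alice", "hunter2")
    hdr = oauth1_authorization_header("POST", url, body, "desktop-client-key", "consumer-secret-1",
                                      "user-token-abc", "token-secret-xyz", nonce="n1", timestamp=1293700000)
    results = {
        "basic_exposes_password": credentials_from_basic_header(basic) == ("alice", "hunter2"),
        "oauth_header_hides_secrets": "consumer-secret-1" not in hdr and "token-secret-xyz" not in hdr,
        "valid_request_accepted": verify_oauth1("POST", url, body, hdr, consumers, tokens, seen, now=1293700010),
        "replay_rejected": not verify_oauth1("POST", url, body, hdr, consumers, tokens, seen, now=1293700010),
        "tampered_body_rejected": not verify_oauth1("POST", url, [("status", "pwned")], hdr,
                                                    consumers, tokens, set(), now=1293700010),
        "stale_request_rejected": not verify_oauth1("POST", url, body, hdr, consumers, tokens, set(), now=1293800000),
    }
    del tokens["user-token-abc"]  # user revokes this one client; the password is untouched
    results["revoked_token_rejected"] = not verify_oauth1("POST", url, body, hdr, consumers, tokens, set(), now=1293700010)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The demo is the whole argument in seven booleans: the Basic Auth header decodes straight back to the password, the OAuth header carries neither secret, and the server can catch tampering, replay, stale requests and a revoked token without the user ever changing a password. Whether that buys a desktop client anything, given that the same client holds the consumer secret and token secret on disk next to where it would have held the password, is exactly the question the post says it wants to come back to.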

More later. Now to hang out with Sumana before she leaves for Washington. Because it's still 2010 and there's still not enough time.